Monday, April 12, 2010

ClassGuard UNGUARDED or How to Crack ClassGuard?

Quote from the site (http://www.jsecurity.net/modules/faq/faq_0003.html?uri=/classguard/index.html&categoryfolder=/modules/faq/):

How secure is it really?

There is no way of cracking the used 128Bit AES Encryption. As the main part of ClassGuard is written in C, the key can't be extracted using a Java decompiler. However, there may be possibilities to crack the encryption using a debugger on the assembler level. At the moment, no such attempt is known.

Some experts state, it would be possible to crack byte code encryption by hacking some class files of the Java language itself, e.g. defineClass() in java.lang.ClassLoader. Bytecode encrypted by ClassGuard is passed through to the virtual machine on the native level. The bytecode never appears in any Java class.

Note the underlined (by me) part in red. This is (yet another) proof that security by obscurity is a BAD idea.

ClassGuard is a set of Java classes and a native library that encrypts/decrypts Java programs (.class files). Classes must be in a .jar archive before you encrypt/protect them.

When started, your Java program gets decrypted in memory. The native libraries are located in classguard.jar/lib/. There are several, for different OSes. For Windows these are libcg_x64_win.dllx (64-bit) and lib\libcg_x86_win.dllx (32-bit).

Since the library is packed in the .jar file, at runtime it gets unpacked into a temporary directory with a random name. On Windows XP the temp dir is \Documents and Settings\your_username\Local Settings\Temp\. The library code is used to decrypt classes in memory.
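The layout described above can be recognised from the jar alone. The following is an added example, not code from the original post or from ClassGuard: a Python audit that lists bundled native libraries and flags .class entries that do not start with the Java class-file magic bytes. The sample jar is constructed, and it is an assumption that protected entries keep the .class extension.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every valid .class file
# .dllx is the suffix quoted in this post; the others are common native-library suffixes
NATIVE_SUFFIXES = (".dll", ".dllx", ".so", ".dylib", ".jnilib")


def audit_jar(jar_bytes):
    """Classify jar entries without executing or decrypting anything."""
    report = {"plain_classes": [], "opaque_classes": [], "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(NATIVE_SUFFIXES):
                report["native_libs"].append(name)
            elif lower.endswith(".class"):
                # Only the header is read; real bytecode always begins with CAFEBABE
                with jar.open(info) as fh:
                    head = fh.read(4)
                key = "plain_classes" if head == CLASS_MAGIC else "opaque_classes"
                report[key].append(name)
    return report


def build_sample_jar():
    """Constructed sample: one normal class, one opaque class, two native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/Launcher.class",
                     CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16)
        # Stand-in for ciphertext (hypothetical entry name and content)
        jar.writestr("com/example/Licensed.class", bytes(range(16, 48)))
        jar.writestr("lib/libcg_x86_win.dllx", b"MZ" + b"\x00" * 30)
        jar.writestr("lib/libcg_x64_win.dllx", b"MZ" + b"\x00" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, names in audit_jar(build_sample_jar()).items():
        print(kind, names)
```

A jar that reports both opaque classes and native libraries matches the pattern in this post: the bytecode is only readable after native code has been unpacked and run.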

"we don't think the described attack is a real threat to ClassGuard as this is a lot of effort to get single class files. For our overall security statement, please have a look at

[their site]

To put it in a nutshell, we think overall security is on the level of native programs, which are also not absolutely safe against these kinds of debuggers. Of course another option is to combine ClassGuard and obfuscation, e.g. ProGuard."